
I have searched and searched but have not found a way to do this. The answers I found said to get a second NIC and dedicate that to the Windows guest. My host is Linux Mint 16.

I see how to specify a network adapter for the guest, but how do I make it so the Windows guest has internet access but can't get to any other computer on the host's network?

I want to make sure that even if the guest's IP address is manually changed, it can't access the rest of the network. It should only see itself (and maybe the host).

3 Answers


This can be done in VirtualBox.

You must choose a connection type which allows the use of iptables to control packets. Thus neither NAT nor Bridged will do, because they do not create a user-accessible NIC. You should use a Host-only Network instead, which creates on the host a user-accessible interface called vboxnet0.

To configure it: File -> Preferences -> Network -> Host-only Networks -> plus sign to create it, then the screwdriver icon -> DHCP Server, enable DHCP Server. Save settings, start the VM.

Now, on the guest you need to set the host as its gateway; the default IP for the host is 192.168.56.1. Use Google to find instructions on how to do this on Windows. You may also have to set the DNS servers.

On the host, run all of the following as root (sudo):

1) Enable IP forwarding:

  # Run this from a root shell (sudo -i): "sudo echo 1 > /proc/..." fails because the
  # redirection is performed by your unprivileged shell, not by sudo.
  echo "1" > /proc/sys/net/ipv4/ip_forward

2) Issue the following iptables rules:

  # Masquerade everything the host forwards out of its LAN interface (eth0),
  # so the VM's 192.168.56.x address is rewritten to the host's address.
  iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
  # Refuse to forward packets to or from the LAN hosts (192.168.1.2-192.168.1.254);
  # the router .1 and the broadcast address .255 are deliberately left out of the range.
  iptables -A FORWARD -m iprange --dst-range 192.168.1.2-192.168.1.254 -j DROP
  iptables -I FORWARD -m iprange --src-range 192.168.1.2-192.168.1.254 -j DROP

The first rule allows the VM access to the internet; the second pair bans the VM from accessing the LAN, except of course for your router and the broadcast address.

The above rules assume that the host is connected via eth0, that your LAN is 192.168.1.0/24, and that your router and broadcast address are 192.168.1.1 and 192.168.1.255, respectively. If they are not, change them accordingly.

  • OK, this did not quite work. I see where you are going with this, but for some reason the guest has no internet access. I manually set the IP to 192.168.56.101 because the guest did not receive a gateway with DHCP. Also, for DNS I tried 192.168.1.1, 192.168.56.1, 8.8.8.8 and none worked. I can't ping out to anywhere, not even the vboxnet0 IP. Also, I ran into this problem with your scripts and made the same modification as here: stackoverflow.com/questions/14391035/… Any other ideas?
    – user277244
    Commented Dec 21, 2013 at 18:32
  • If the guest did not receive an IP address, it means you did not enable a DHCP server. What is the routing table on the guest? Can you ping from guest to host? Vice versa?
    Commented Dec 21, 2013 at 18:47
  • @xmrkite With a little modification which I inserted in my answer (thanks for pointing this out to me) this configuration works flawlessly on my system.
    Commented Dec 23, 2013 at 6:57
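As an added example (not code from the answer above and not anything VirtualBox ships), here is the same host-only-plus-forwarding idea the way I would deploy it. It differs from the rules in the answer in four security-relevant ways: forwarding is keyed on the ingress interface vboxnet0 rather than on the guest's address, so a guest that changes its IP gains nothing; every RFC 1918 range plus link-local space is dropped, not just one /24; only established replies may be forwarded back towards the guest; and guest packets aimed at the host's own LAN address are dropped in INPUT, which FORWARD rules never see. The interface names eth0 and vboxnet0, the network 192.168.56.0/24 and the chain name VBOX_GUEST are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example, not code from the answer above. Gives a VirtualBox host-only
# guest Internet access through the host while refusing to forward its traffic
# to any private address, regardless of the source address the guest uses.
# Assumed names (override in the environment): uplink eth0, host-only
# interface vboxnet0 on 192.168.56.0/24, and a free chain name VBOX_GUEST.
LAN_IF="${LAN_IF:-eth0}"
VBOX_IF="${VBOX_IF:-vboxnet0}"
VBOX_NET="${VBOX_NET:-192.168.56.0/24}"

# Emit the policy instead of running it, so it can be reviewed first.
# "iptables -I" with no position inserts at the top of the chain, so lines
# inserted later land above lines inserted earlier. The resulting FORWARD
# order is: accept established replies to the guest, drop anything else
# heading to the guest, screen everything entering on vboxnet0 in VBOX_GUEST.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $VBOX_NET -o $LAN_IF -j MASQUERADE
iptables -N VBOX_GUEST
iptables -A VBOX_GUEST ! -s $VBOX_NET -j DROP
iptables -A VBOX_GUEST -d 10.0.0.0/8 -j DROP
iptables -A VBOX_GUEST -d 172.16.0.0/12 -j DROP
iptables -A VBOX_GUEST -d 192.168.0.0/16 -j DROP
iptables -A VBOX_GUEST -d 169.254.0.0/16 -j DROP
iptables -A VBOX_GUEST -o $LAN_IF -j ACCEPT
iptables -A VBOX_GUEST -j DROP
iptables -I FORWARD -i $VBOX_IF -j VBOX_GUEST
iptables -I FORWARD -o $VBOX_IF -j DROP
iptables -I FORWARD -o $VBOX_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i $VBOX_IF ! -d $VBOX_NET -j DROP
iptables -I INPUT -i $VBOX_IF -p udp --dport 67 -j ACCEPT
EOF
}

# Run each emitted command as root; stop at the first failure.
apply_rules() {
    gen_rules | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        sh -c "$cmd" || exit 1
    done
}

case "${1:-}" in
    --apply) apply_rules ;;   # sudo ./vbox-guest-nat.sh --apply
    *)       gen_rules ;;     # default: only print the policy
esac
```

The guest keeps using the host (192.168.56.1) as gateway and a public resolver for DNS, as in the answer. The INPUT rule still lets the guest talk to the host's vboxnet0 address (the question allows that) and to a DHCP server on port 67, but drops guest packets addressed to the host's LAN address. The script is meant to be applied once; re-running it would fail at `iptables -N` because the chain already exists, so flush and delete VBOX_GUEST first if you change the variables. IPv6 is not covered: ip6tables needs equivalent rules if the host forwards IPv6.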

The short answer is, you can't get the isolation you want with just VirtualBox. A VM will always inherit the same network availability as the host (assuming Bridged or NAT networking modes).

You have four networking choices in VirtualBox:

  1. Bridged: Shares the connection with one of the host's adapters. This would be as if the VM(s) and the host were all plugged into the same switch. VMs can access everything the host can access.

  2. NAT: VirtualBox places a virtual NAT firewall between the host's adapter and the virtual network. VMs can still access everything the host can access.

  3. Host Only: The VM can only communicate with the host computer.

  4. Internal: The VM(s) are on an isolated network and can only communicate with other VMs on the same internal network.

None of these options fulfill your requirements, so in VirtualBox alone, it can't be done. As you mentioned, adding an additional NIC provides the physical separation needed to create the separation you want.


OK, I figured out a great solution that only needs one network card in the host OS.

  1. Give the guest OS a Host-only Adapter (the default one is vboxnet0) and make sure vboxnet0 does DHCP.
  2. Install the Squid proxy (sudo apt-get install squid3).
  3. Open the file /etc/squid3/squid.conf and make the following changes: A. Find the line with "http_access deny all" and comment it out by placing a # at the beginning of the line. B. Paste the following two lines into the file:
       acl allcomputers src 192.168.56.0/255.255.255.0
       http_access allow allcomputers
  4. Restart the squid3 service by running: sudo service squid3 restart
  5. In the guest OS make sure DHCP is set for the network card.
  6. Open Internet Explorer's Internet Options, go to the Connections tab, click on LAN settings..., check the box for Proxy Server and make the address 192.168.56.1 and the port 3128.
  7. Internet works now on the guest and the guest cannot see the local network.

Thanks for the help in this post. It guided me in the right direction to find Squid3. The whole setup here takes 5-10 minutes and is very easy.
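An added configuration fragment for the proxy approach, not part of the answer above. It keeps Squid's final `http_access deny all` instead of commenting it out (with that line removed, anything that can reach port 3128 gets an open proxy), binds the listener to the host-only address so LAN machines cannot use it, and denies private destinations. That last point matters because the proxy runs on the host, which can reach the LAN, so without it the guest could still fetch http://192.168.1.1/ and similar through Squid. The addresses assumed are the ones used in the answers: host-only network 192.168.56.0/24 with the host at 192.168.56.1. Replace the existing `http_port` line and put this block ahead of the shipped `http_access` rules:

```conf
# Listen only on the host-only address, not on the LAN side of the host.
http_port 192.168.56.1:3128

acl guests src 192.168.56.0/24
# Private, link-local and loopback destinations the guest must not reach through
# the proxy. "dst" ACLs match the resolved address, so hostnames that resolve
# into these ranges are caught as well.
acl private_dst dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8

# http_access rules are evaluated in order and the first match wins,
# so the deny must precede the allow.
http_access deny guests private_dst
http_access allow guests
http_access deny all
```

After `sudo service squid3 restart`, a quick check from the guest is to request http://192.168.1.1/ (or whatever your router's address is) through the proxy: Squid should answer with its own access-denied page rather than the router's login page, while public sites still load.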
